
Comment by topspin

4 months ago

> People only use Nix because it doesn't randomly break, bitrot or require arcane system setup.

I'll stipulate this, despite knowing and appreciating the much greater value Nix has.

Then, the problem that Nix solves isn't something container users care about. At scale, the bare metal OS hosting containers is among the least of one's problems: typically a host image is some actively maintained, rigorously tested artifact provided by one of a couple different reliable sources. Ideally container users are indifferent to it, and they experience few if any surprises using them, including taking frequent updates to close vulnerabilities.

> Unlike containers.

Containers randomly break or bitrot? I've never encountered that view. They don't do this as far as I'm aware. Container images incorporate layer hashing that ensures integrity: they do not "bitrot." Image immutability delivers highly consistent behavior, as opposed to "randomly break." The self-contained nature of containers delivers high portability, despite differences in "system setup." I fail to find any agreement with these claims. Today, people think nothing of developing images using one set of tools (Docker or what have you) and running these images using entirely distinct runtimes (containerd, cloud service runtimes, etc.). This is taken entirely for granted, and it works well.

> Arcane system setup.

I don't know what is meant by "system setup" here, and "arcane" is subjective. What I do know is that the popular container systems are successfully and routinely used by neophytes, and that this doesn't happen when the "system setup" is too demanding and arcane. The other certainty I have is that whatever cost there is in acquiring the rather minimal knowledge needed to operate containers is vastly smaller than achieving the same ends without containers: the moment a system involves more than 2-3 runtime components, containers start paying off versus running the same components natively.

> Containers randomly break or bitrot?

All the fucking time. Maybe it's possible to control your supply chain properly with containers, but nobody actually does that. 99% of the time they're pulling in some random "latest image" and applying bespoke shell commands on top.

> I don't know what is meant by "system setup" here, and "arcane" is subjective.

Clearly you've never debugged container network problems before.

  • > but nobody actually does that

    They do. I assure you.

    > they're pulling in some random "latest image"

    Hardly random. Vendoring validated images from designated publishers into secured private repos is the first step on the supply chain road.

    > Clearly you've never debugged container network problems before.

    Configuring Traefik ingress to forward TCP connections to pods was literally the last thing I did yesterday. At one time or another I've debugged all the container network problems for every widely used protocol in existence, and a number of not so common ones.

    • > first step on the supply chain road

      99 percent of Docker container users aren't on the supply chain road. They just want to "docker pull", #yolo.

      > Configuring Traefik ingress to forward TCP connections to pods was literally the last thing I did yesterday

      Docker does crazy insane modifications to your system settings behind the scenes. (Of which turning off the system firewall is the least crazy.)

      Have fun when the magic Docker IP addresses happen to conflict with your corporate LAN.

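The disagreement above is about whether image references are pinned and vendored or pulled as a floating "latest". As an added example that is not from any commenter in the thread, here is a small Python policy check over the FROM lines of a Dockerfile: it flags images that are not pinned by digest and images that do not come from an approved private registry. The registry name, the policy, and the sample Dockerfile (including its digest) are constructed for this example.

```python
import re

# Assumed policy for this example: base images must be vendored into this
# (hypothetical) private registry and referenced by immutable digest.
APPROVED_REGISTRIES = {"registry.internal.example"}

FROM_RE = re.compile(r"^\s*FROM\s+(?:--platform=\S+\s+)?(\S+)(?:\s+AS\s+(\S+))?", re.I)

def parse_image_ref(ref):
    """Split registry/name[:tag][@digest] the way a container runtime does."""
    name_tag, digest = (ref.split("@", 1) + [None])[:2]
    # A ':' only denotes a tag if it comes after the last '/' (else it is a port).
    last_slash, last_colon = name_tag.rfind("/"), name_tag.rfind(":")
    if last_colon > last_slash:
        name, tag = name_tag[:last_colon], name_tag[last_colon + 1:]
    else:
        name, tag = name_tag, None
    first = name.split("/", 1)[0]
    # First path component is a registry only if it looks like a host.
    if "/" in name and ("." in first or ":" in first or first == "localhost"):
        registry = first
    else:
        registry = "docker.io"  # the runtime's implicit default registry
    return {"registry": registry, "name": name, "tag": tag, "digest": digest}

def check_image_ref(ref):
    """Return a list of policy findings for one image reference (empty = OK)."""
    r = parse_image_ref(ref)
    findings = []
    if r["registry"] not in APPROVED_REGISTRIES:
        findings.append(f"unapproved registry {r['registry']}")
    if r["digest"] is None:
        tag = r["tag"]
        why = "no tag (defaults to latest)" if tag is None else f"mutable tag '{tag}'"
        findings.append(f"not pinned by digest ({why})")
    return findings

def audit_dockerfile(text):
    """Map each base image in the Dockerfile to its findings; stage aliases are skipped."""
    stages, results = set(), {}
    for line in text.splitlines():
        m = FROM_RE.match(line)
        if not m:
            continue
        image, alias = m.group(1), m.group(2)
        if image.lower() != "scratch" and image not in stages:
            results[image] = check_image_ref(image)
        if alias:
            stages.add(alias)
    return results

# Constructed sample input; the digest below is a dummy value, not a real image.
SAMPLE_DOCKERFILE = """\
FROM python:latest AS builder
FROM registry.internal.example/base/python:3.12@sha256:0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef
FROM builder
"""
```

Running `audit_dockerfile(SAMPLE_DOCKERFILE)` reports two findings for `python:latest` and none for the vendored, digest-pinned image; the `FROM builder` stage reference is ignored.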